Bind 9, Wildcard Records and Road Runner

Paul Vixie vixie at
Sat Oct 9 20:00:07 UTC 2004

> I am concerned that ddns will not suffice.  As it stands we would need to
> add an RR for each host added to the system (for example, we would add an
> RR for  The problem is that there would still be no SOA for each
> host, if I understand correctly. Please correct me if I am wrong.  I am
> under the impression that the use of wildcards is filtered by looking for
> a corresponding SOA and thus if we appended RRs to the .mp zone file then
> we would still end up with no SOA, is this correct?

technically, that's not correct.  effectively, that's pretty close.

> Perhaps you can briefly explain how ddns would help?

currently widely deployed dns filtering technology insists that all responses
from a TLD zone's authority server be delegations (empty answer section,
nonempty authority and additional sections).  this filtering is controversial
since it keeps any TLD zone from having its own content, it can only delegate.

your supposition about SOA is not completely without merit, since an SOA RR
will appear "under" the delegation point pointed to by the TLD server's
response.  so, in effect, there does have to be an SOA, it's just that it
doesn't appear in the TLD zone, and so, is a secondary consideration with
regard to the widely deployed DNS filtering that's affecting your plans.

using ddns, you can create new child zone delegation points.  therefore if
your registry process included the following steps, it would have the
effect of allowing near-instantaneous appearance of new subdomains (which
you can interpret as "new URLs whose domain-part ends in .MP") without the
use of wildcards and without running into the widely deployed DNS filtering
(which goes by the name of "BIND's delegation-only option").

1. a new subdomain is to be created, $FOO.MP.
2. append a new "zone" directive to the end of your named.conf file, using
   a shared primary zone file, such that new subdomains have known content.
3. use "rndc reconfig" to cause new zone to be loaded and served.
4. use "nsupdate" (for DDNS, see RFC2136) to add new NS RRs to "MP" zone.

that's it.  the whole process takes less than one second, and is fully
automated, fully secure, uses no wildcards, and encounters no filtering.
it will work on BIND9 (preferred) or BIND8 (if you must; use ndc rather
than rndc in this case).

note that this is a BIND-specific solution, but then this is a BIND-specific
forum (either bind-users@, or comp.protocols.dns.bind, depending on one's
point of view.)


> >>When a .mp domain is registered their site and associated services are 
> >>automatically created and are immediately available for the customers 
> >>use.  We accomplish this by using a wildcard DNS record in bind for all 
> >>.mp domains:
> >>
> >>*.mp.                   IN      A
> >>
> >>This record can be found in the mp zone file.  When a site doesn't exist
> >>they still see a page displaying a message.
> > 
> > you don't need a wildcard for this, and some recent widely deployed changes
> > will keep it from working reliably in a tld, in any case.  use ddns.
Paul Vixie
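The four-step registry process described in the reply above, as an added example that is not part of the original post and is not code from Paul Vixie or from BIND itself. It assumes a BIND 9 primary for the MP zone on the same host, a named.conf path, a shared primary zone file, a TSIG key file that the MP zone's allow-update policy accepts, and hypothetical NS target names; all of these are placeholders. It also adds one check the thread does not spell out: the label coming from the registry is validated before it is spliced into named.conf or into the nsupdate batch, so a malformed registration cannot smuggle extra directives into either.

```shell
#!/bin/sh
# Added example (not from the original post): automating the four-step
# registry process from the thread for BIND 9.  Every path, key, address
# and NS name below is an assumption for illustration.
set -eu

NAMED_CONF=${NAMED_CONF:-/etc/named.conf}                 # assumed path
SHARED_ZONE=${SHARED_ZONE:-/var/named/shared-sub.db}     # shared primary zone file (assumed)
TSIG_KEY=${TSIG_KEY:-/etc/named/registry.key}             # TSIG key accepted by the MP zone (assumed)
PARENT_NS=${PARENT_NS:-127.0.0.1}                         # primary for the MP zone (assumed)
NS_TARGETS=${NS_TARGETS:-"ns1.example. ns2.example."}     # hypothetical NS names for new subdomains
RNDC=${RNDC:-rndc}                                        # overridable so the script can be dry-run
NSUPDATE=${NSUPDATE:-nsupdate}

# Step 0 (not in the thread): accept only a plain hostname label, so
# registry input can never splice extra statements into named.conf or
# into the DDNS batch.
valid_label() {
    [ "${#1}" -le 63 ] || return 1
    case $1 in
        ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 2: the "zone" directive appended to named.conf.  All new
# subdomains point at the same shared primary file, so they have
# known content the moment they are loaded.
zone_stanza() {
    printf 'zone "%s.mp" { type master; file "%s"; };\n' "$1" "$SHARED_ZONE"
}

# Step 4: the nsupdate batch (RFC 2136) that adds the NS RRs, i.e. the
# delegation point, to the MP zone itself.
nsupdate_batch() {
    label=$1
    printf 'server %s\n' "$PARENT_NS"
    printf 'zone mp.\n'
    for ns in $NS_TARGETS; do
        printf 'update add %s.mp. 3600 IN NS %s\n' "$label" "$ns"
    done
    printf 'send\n'
}

# Steps 1-4 in order: create the child zone on the server first, then
# publish the delegation, so the NS RRs never point at a zone that
# named is not yet serving.
register_subdomain() {
    label=$1
    valid_label "$label" || { echo "refusing bad label: $label" >&2; return 1; }
    zone_stanza "$label" >> "$NAMED_CONF"           # step 2
    "$RNDC" reconfig                                # step 3: load the new zone
    nsupdate_batch "$label" | "$NSUPDATE" -k "$TSIG_KEY"   # step 4: TSIG-signed DDNS
}

# Usage: register-sub.sh <label>   (registers <label>.mp)
if [ "$#" -ge 1 ]; then
    register_subdomain "$1"
fi
```

The order matters: the zone is added and loaded before the delegation is published, and the nsupdate batch is signed with the TSIG key so only the registry process can touch the MP zone. If you must run BIND 8, replace `rndc reconfig` with the equivalent `ndc` invocation, as the reply notes.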
